Using Existing CAS to authenticate users on another website - ruby-on-rails

First time posting, but been a long time reader. I'm tasked to use my university's CAS to authenticate users on a ruby on rails app. I have my welcome page that has a link to the signon screen that then is forwarded to a dashboard with a ticket in the url. I'm a bit confused on how to take that ticket and authenticate the ticket in order to get the info of the user that has logged in. Please help. THanks in advance.

Your application must take the ticket returned by the user's browser and make a direct call back to CAS and "turn in" the ticket to retrieve the actual user information.
You basically have three protocols/endpoints that can be used: /cas/validate, /cas/serviceValidate, and /cas/samlValidate. See http://www.jasig.org/cas/protocol for details.
But instead of writing your own solution, check out Ruby on Rails CAS Clients for a couple of options.

Related

How do I get the ID of the currently authenticated Twitter user in a web application without using OAuth?

*Apologies in advance for the long background but I think it is necessary and helpful to other devs once this is answered.
Background
I am building a very social web-application in which there are several events that trigger social actions such as updating the user's Twitter status.
Currently, I use a library called "TweetMoaSharp" (.NET) to handle the Oauth workflows and events that trigger a status update or follow action work brilliantly as long as the user is briefly redirected to the Twitter authentication page.
To clarify, the user is not asked to re-authorize my app each time, but there is an unsightly flicker that lasts for 1-2 seconds while the user is directed to Twitter and then back to my app. This will annoy the end user as there are frequent Twitter interactions.
So--to relieve the situation, I use TweetMoaSharp to obtain an OAuth Access Token via the server and then store that token along with the user id returned from Twitter in my database. I then set a cookie on the client that contains the user's Twitter Id so that for future requests I can simply pass that ID to the server, grab the OAuth token form the database and do my business. No redirect required!
Problem Solved, Right?
Well, no. Stupidly, I overlooked the fact that this can cause a collision with multiple Twitter Accounts being used on the same page and ended up tweeting test-tweets to a second twitter account I own because I had changed Twitter sessions. This could happen to any user(s) who access multiple Twitter accounts from the same browser; a husband and wife for example.
Back to the Drawing Board
I thought to myself, "The Facebook JavaScript API" makes it super easy to get the id of the currently logged in user without going through a bunch of server-side token steps so I am sure Twitter offers the same approach." Ha! I haven't found one yet.
Bottom Line / Question
How do I get the ID of the currently authenticated Twitter user without redirecting them to Twitter (even for just a second)? If I can do this, then I can compare the returned ID to the one in my cookie and know if it is valid for my application's current session or if I need to have that (new) user authenticate as well so that I avoid "Tweeting" under the wrong account.
Thanks in advance.
Use your app tokens to do a verify credentials call
https://api.twitter.com/1.1/account/verify_credentials.json
The returned info is the logged in user.
Unfortunately limited to 15 calls per 15 minute window!

Ruby on Rails - LDAP based authentication

this is my first post on SO, but I have been reader for long time :)
I'm currently working on LDAP authentication for Rails app. I'm using ruby Net::LDAP library - I'm abble to succesfully bind and login using technical account and search for a specific user. What I don't know how to do, is how to verify finded AD user password with the one he provided during logon. Because of AD policy restriction, I can make binding only from the technical account - so the use sollution with binding every logging user to AD cannot be used here.
Thanks for any help
Check out .bind_as: According to the docs
http://www.rubydoc.info/gems/ruby-net-ldap/Net/LDAP#bind_as-instance_method
it is for testing authentication credentials.

Is this SSO workflow possible?

Let's say I have the following sites: ClientSiteA.com, ClientSiteB.com, ClientSiteC.com, MainServer.com
I am distributing a software to client sites. Anyone will be able to install the software so a site can not be considered trusted. MainServer.com will contain user information.
Users will interact with the software on client sites. A user will be able to click a login link on any client site which will bring up a popup. The popup can reside on MainServer.com. When a user logs in on any client, they will be logged in on ALL client sites as well as the MainServer.com. Remember, MainServer.com contains all user information.
I've done a lot of reading on SAML and OAuth2. Can someone tell me what is possible? If it is possible, which tools/workflows should I use? If this isn't possible, can someone tell me something I can accomplish that is similar to this?
FYI - I am trying to accomplish something like what Disqus does. If you login to Disqus on any site, you are logged into all the sites.
You can accomplish this with SAML, although it will involve browser redirects not popups.
The first time use hits a protected site (ClientA) it redirects to MainServer.com. The user logs in, MainServer gives them a session and redirects them back to the service provider with a SAML authentication statement which then lets them in.
When the user then visits ClientB.com, it also redirects to MainServer.com for authentication. Because the user is already logged at MainServer it can invisibly bounce them straight back to ClientB.com with a new authentication statement. The user barely if at all notices.
The problem with the pop-up window approach is that users have to give their credentials for site A to site B. This is a big security hole if site B isn't owned and controlled by Site A. Users should only give their credentials to the site that is authenticating them to prevent them being compromised. SAML and other federated/distributed auth mechanisms were designed with that in mind. I wouldn't want to give the keys to my email account to random sites on the internet but with this method I can log into stackoverflow with my gmail account.

User Authentication on iOS - How?

I wonder if someone may be able to help me please? I've been trying to find an article which can run me through username / password authentication within iOS with limited success. I found a good article from http://www.raywenderlich.com/6475/basic-security-in-ios-5-tutorial-part-1 and I thought this would answer my questions. Unfortunately, I hit a snag after following the tutorial to the letter whereby I was just presented with a blank screen. Whilst I've contacted Chris Lowe (the chap who done the tutorial) I haven't had a response back and I've hit a bit of a brick wall.
I wondered if anyone could point me in the right direction where I could learn how to do this and whether there were any code snippets which could be used etc etc?
Ideally I'm trying to get my application to prompt users for a username / email and password so that I can authenticate them using a web service connection from a company called parse.com. Its all very very new to me and I'm struggling but any help would be greatly appreciated.
Thanks in advance,
Sean
I realize this is an older post but what type of authentication were you trying to implement? A custom system where users enter a service specific email/password? Facebook auth? Twitter Auth? Google account auth? MSFT account auth?
If you're looking for any of the latter four, you may want to check out WA Mobile Services and these two tutorials:
-Getting started with authentication: https://www.windowsazure.com/en-us/develop/mobile/tutorials/get-started-with-users-ios/
-Authorizing users with server-side scripts: https://www.windowsazure.com/en-us/develop/mobile/tutorials/authorize-users-in-scripts-ios/
Essentially, once you obtain the Client ID and Client Secret from the relevant service, you're then your to write a method that checks to see if a user is already logged in. If not, you'll then display the relevant login option (the first tutorial shows a Facebook auth walk through).
If you were looking for a custom authentication system that allows users to create a service/app specific account, then you might find this post helpful: http://thejoyofcode.com/Exploring_custom_identity_in_Mobile_Services_Day_12_.aspx
Hope this helps,
Miranda

Direct authentication of instagram user without showing the login page or any authentication

I am making an instagram application using rails. Is it possible
to save some kind of 'token' or 'id' in my database that can be used
to automatically authenticate the user and allow the application to
access the user's profile data, images,etc,etc without asking the user
to enter the login details/authentication again and again. If it is possible please
tell me how it can be done.
Thanks in advance! :)
Yes, it is possible to get a token. Take a look at the documentation concerning authentication, it's pretty comprehensive.
http://instagram.com/developer/authentication/

Resources